ImageSpot
(image-spot.com)
| Controller | XOR SOLUTIONS LIMITED Company No. 15744696 Registered office: Flat 44 Ennerdale House, 121 Hamlets Way, London, England, E3 4TY |
| Website | image-spot.com Contact: info@image-spot.com |
| Scope | Website browsing, customer accounts, orders, digital image downloads, prepaid generation credits/tokens, support queries, and related analytics / fraud-prevention activity |
| Legal framework | This policy is drafted for UK-facing website operations and follows a UK GDPR / Data Protection Act 2018 style structure, without limiting any mandatory rights that may also apply in the EEA or other jurisdictions. |
Effective date: 11 March 2026
Version: Website Legal Pack – Doc 3
This Privacy Policy explains how personal data is collected, used, shared, retained, and protected when you visit the Website, create an account, purchase AI-generated digital content, purchase or use generation credits/tokens, submit prompts, or contact us.
| Key privacy points at a glance We collect account, order, billing, technical, and support data needed to operate the Website and deliver digital products and credits. Prompt inputs and generated outputs may be processed to provide the image-generation service, maintain service quality, and investigate misuse or complaints. We use selected service providers, such as hosting, payment, analytics, communications, and security vendors, under appropriate contractual and operational controls. We do not need a phone number for ordinary policy contact; privacy requests may be sent to info@image-spot.com. Where personal data is transferred outside the UK, we rely on appropriate safeguards where legally required. |
Quick data-use matrix
| Data category | Typical examples | Main purposes | Typical legal basis |
| Identity and account data | name, username, email, password hash, account settings | account setup, login, user support, fraud prevention | contract / legitimate interests |
| Order and payment data | order ID, purchase history, billing address, currency, payment status | checkout, bookkeeping, customer service, refund / dispute handling | contract / legal obligation / legitimate interests |
| Prompt and output data | text prompts, generation settings, generated images, download records | deliver the service, troubleshoot issues, quality review, misuse investigations | contract / legitimate interests |
| Technical and usage data | IP address, device/browser data, cookies, log files, session data | security, analytics, performance, abuse monitoring | legitimate interests / consent where required |
| Communications data | support emails, contact-form messages, complaint files, attachments | responding to enquiries, record-keeping, dispute resolution | contract / legitimate interests / legal claims |
1. Who we are
For the purposes of applicable data-protection law, the controller of personal data processed through image-spot.com is XOR SOLUTIONS LIMITED, company number 15744696, registered office Flat 44 Ennerdale House, 121 Hamlets Way, London, England, E3 4TY.
You may contact us regarding privacy matters at info@image-spot.com. Where this policy refers to “we”, “us”, or “our”, it means XOR SOLUTIONS LIMITED and, where relevant, trusted service providers acting on our documented instructions.
2. Scope of this policy
This policy applies to personal data processed through the Website, including browsing activity, account creation, login sessions, product pages, checkout, delivery of digital images, delivery and redemption of generation credits/tokens, prompt submission, generated outputs, support interactions, compliance reviews, and security monitoring.
This policy does not replace any separate business-to-business agreement, data-processing agreement, or enterprise services contract that may apply to bespoke services. Where a separate contract sets out specific privacy arrangements for a particular service relationship, that contract will prevail to the extent of any inconsistency.
3. Categories of personal data we may collect
Depending on how you interact with the Website, we may collect and otherwise process the following categories of personal data:
- identity and profile data, such as your name, display name, username, email address, account credentials, and account preferences;
- transaction and order data, such as order references, purchased products, credits/tokens purchased or used, billing information, currency, payment status, and refund or chargeback records;
- prompt and generation data, such as text prompts, generation parameters, generation history, selected styles, generated outputs, and download / access events;
- technical and device data, such as IP address, browser type, operating system, device identifiers, log files, timestamps, approximate location inferred from network signals, and error diagnostics;
- usage and analytics data, such as page views, clickstream behaviour, session information, referral sources, cookie identifiers, and performance measurements;
- communications data, such as support emails, contact-form messages, complaint submissions, attachments, and records of our correspondence;
- risk, fraud, and compliance data, such as suspicious activity indicators, abuse reports, account-restriction logs, sanctions screening results where applicable, and evidence relevant to disputes or legal claims.
4. How we collect personal data
We collect personal data directly from you when you browse the Website, fill in forms, create an account, place an order, purchase credits/tokens, submit prompts, contact support, or otherwise interact with us.
We also collect certain data automatically through cookies, local storage, server logs, security controls, and similar technologies when you use the Website. Additional information may be received from payment processors, fraud-prevention vendors, hosting providers, analytics vendors, customer-service tools, or other service providers involved in the operation of the Website.
5. How we use personal data
We use personal data only where there is a legitimate operational, contractual, compliance, or legal basis to do so. Main purposes include:
- providing the Website and enabling secure access to user accounts;
- processing purchases and delivering digital images, credits/tokens, and related services;
- operating the AI image-generation workflow, storing generation history where needed for service continuity, and making outputs available to the relevant user account;
- communicating with users about orders, service notices, refunds, disputes, and support matters;
- improving product performance, troubleshooting technical issues, and understanding how the Website is used;
- preventing fraud, abuse, intellectual-property misuse, unlawful prompts, chargeback manipulation, and other harmful or prohibited activity;
- maintaining accounting, tax, legal, and corporate records;
- establishing, exercising, or defending legal claims and complying with lawful requests from authorities or courts.
6. Legal bases for processing
Depending on the context, we may rely on one or more of the following legal bases under applicable law:
- performance of a contract or steps taken at your request before entering into a contract, for example to create and administer your account, take payment, and supply digital products or credits/tokens;
- our legitimate interests, for example to secure the Website, prevent abuse, improve performance, manage disputes, and operate the business efficiently, provided that such interests are not overridden by your rights and interests;
- compliance with a legal obligation, for example where retention, accounting, tax, fraud-prevention, or law-enforcement cooperation duties apply;
- consent, where this is required by law, for example for non-essential cookies or similar technologies, or for certain optional marketing communications if used.
7. Prompt inputs and generated outputs
Because the Website includes AI-enabled image generation, prompt inputs and generated outputs may contain personal data, either because you include it in your prompt or because uploaded or generated materials can be linked back to you. You should avoid including personal data in prompts unless it is necessary and lawful for you to do so.
We may process prompts, generation settings, and generated outputs to provide the requested service, maintain service quality, resolve support issues, investigate abuse, enforce our Terms & Conditions, and comply with legal or rights-holder complaints. We do not treat generated outputs as anonymous merely because they were produced by an AI-enabled workflow.
Where the service allows downloading or storing generated outputs, records of delivery, access, and download events may be kept as evidence of fulfilment, licensing, security events, and dispute handling.
8. Cookies and similar technologies
We use cookies and similar technologies for core website functionality, security, login persistence, shopping-cart continuity, analytics, and performance monitoring. Some cookies are strictly necessary for the Website to function properly. Others are optional and may require consent depending on the jurisdiction and the nature of the technology used.
More detailed information should be read together with our Cookie Policy and any cookie banner or consent-management tool displayed on the Website.
9. Sharing personal data
We may share personal data only where reasonably necessary with categories of recipients such as:
- hosting and infrastructure providers, content-delivery and security providers, and website support vendors;
- payment processors, fraud-prevention vendors, and finance or bookkeeping service providers;
- analytics, communication, or customer-support platform providers;
- professional advisers such as lawyers, accountants, auditors, or insurers;
- courts, regulators, law-enforcement bodies, or other authorities where disclosure is legally required or reasonably necessary to protect our rights or the rights of others;
- a buyer, investor, or successor entity in connection with a merger, reorganisation, financing, sale of assets, or similar corporate transaction, subject to appropriate confidentiality measures.
We do not sell personal data in the ordinary meaning of selling customer data to third parties for independent exploitation.
10. International transfers
Some of our service providers or technical systems may be located outside the United Kingdom. Where personal data is transferred internationally and applicable law requires safeguards, we will seek to use an appropriate transfer mechanism, such as adequacy regulations, approved contractual safeguards, or other lawful measures relevant to the transfer in question.
International data transfers may also occur where you access the Website from outside the UK or where cloud-based systems used to operate the service process data in multiple jurisdictions.
11. Data retention
We retain personal data only for as long as reasonably necessary for the purposes for which it was collected, including delivery of services, account management, financial record-keeping, fraud prevention, legal compliance, complaint handling, and dispute resolution.
Retention periods vary by data type. For example, account records, order history, and payment records may be retained for longer than session or analytics data because of tax, accounting, legal, and evidential requirements. Prompt and generation history may be retained for service continuity, user access, troubleshooting, abuse review, or evidential purposes, subject to technical feasibility and business need.
When data is no longer required, we will seek to delete, anonymise, or otherwise securely dispose of it, unless continued retention is required or permitted by law.
12. Data security
We use reasonable technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration, loss, and unlawful destruction. Measures may include encrypted web sessions, access controls, password protection, role-based access, monitoring, secure hosting, backup procedures, and vendor-management controls.
No internet-based service can be guaranteed to be completely secure. You are responsible for maintaining the confidentiality of your account credentials and for notifying us promptly if you believe your account or personal data may have been compromised.
13. Your rights
Subject to applicable law and relevant exemptions, you may have the right to request access to personal data, rectification of inaccurate data, erasure, restriction of processing, objection to certain processing, data portability, and withdrawal of consent where processing is based on consent.
These rights are not absolute and may be limited where, for example, continued processing is necessary for contractual delivery, compliance, fraud prevention, legal claims, or the rights and freedoms of others.
To exercise a rights request, please contact info@image-spot.com and provide enough information to help us verify your identity and understand the request. We may request further information where reasonably necessary to protect personal data and prevent unauthorised disclosure.
14. Marketing communications
Where we send marketing communications, we will do so in accordance with applicable law. You may opt out of non-essential marketing communications at any time using the unsubscribe mechanism in the message or by contacting us. Transactional and service-related communications may still be sent where necessary for account administration, order fulfilment, or legal purposes.
15. Children and minors
The Website is not intended to be used in breach of applicable age restrictions or by persons who cannot lawfully enter into the relevant contract under applicable law. Where we become aware that personal data has been collected in circumstances that require deletion or other protective action, we may take appropriate remedial measures.
16. Third-party links and services
The Website may contain links to third-party websites, payment tools, social-media pages, plugins, or other external services. We are not responsible for the privacy practices of third parties acting as independent controllers. You should review the privacy information of those third parties separately before interacting with their services.
17. Complaints
If you have a concern about how personal data is handled, please contact us first at info@image-spot.com so that we can review the matter. If you remain dissatisfied and applicable law provides such a right, you may complain to the relevant supervisory authority, including the UK Information Commissioner’s Office where appropriate.
18. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes to the Website, services, product model, technology stack, legal obligations, or operational practice. The latest version will be posted on the Website with an updated effective date.
19. Contact details
Privacy enquiries and rights requests: info@image-spot.com.
Controller: XOR SOLUTIONS LIMITED – company number 15744696 – registered office: Flat 44 Ennerdale House, 121 Hamlets Way, London, England, E3 4TY.